Computer viruses (or, more simply, viruses) are a major problem in modern-day computing. Viruses can be, for example, designed to replicate themselves by attaching themselves to non-virus software. More generally, a virus may be a program (or some unit of code; for example, instructions to which the computer responds, such as a code block, code element, code segment or the like) that may attach to other programs and/or objects, may replicate itself, and/or may perform malicious (or simply unsolicited) actions on a computer system (at a minimum, illicitly consuming system resources). For example, a virus might attach a copy of itself to a spreadsheet program, word processing document, Internet browser, computer game or the like. After a program has been “infected” with a virus, each time the infected program is executed, the virus is also executed, further replicating the virus. Because the presence of computer viruses often goes undetected, viruses can cause unexpected and harmful results. For example, viruses can delete files, alter system settings, and consume system resources. In fact, although described herein as relating to viruses, the present disclosure may be applied to any type of code capable of altering or consuming one or more of a computer's resources or activities, or any portion thereof.
Virus detection software has been developed to detect and eliminate various types of viruses. Virus detection programs typically scan computer files for specific bit patterns associated with known viruses. These bit patterns are often referred to as virus signatures. Scanning files for virus signatures can be a slow and resource-draining process. Various techniques have been developed to limit the scope of signature searches. One such technique is “scalpel scanning”, which limits signature searching to the parts of a file that are likely to contain virus entry points. However, there is a trade-off between the coverage provided and the resources consumed.
Unfortunately, virus writers have thwarted many signature-scanning techniques by creating randomly encrypted and polymorphic viruses. Randomly encrypted viruses are difficult to detect because each new copy of the virus is randomly encrypted, so new virus copies may not exhibit traceable signatures until they are decrypted. Randomly encrypted viruses remain encrypted until just before execution, when they perform self-decryption, which may reveal known signatures. Polymorphic viruses are also difficult to detect because they change their encryption logic with each new infection. That is, the virus produces different encrypting and decrypting code for each new virus that is inserted into non-virus software. Because the encryption/decryption code is constantly changing, copies of the virus may not include traceable signatures, even when the virus is not encrypted.
In response to the more intractable viruses, some virus detection systems emulate executable programs in secure portions of memory. Because encrypted viruses decrypt themselves before executing, emulating potentially infected programs can produce viruses in a decrypted state. Matching decrypted viruses with known virus signatures is typically more effective than doing the same with encrypted viruses. During emulation, the emulator periodically scans the secure memory portion for known virus signatures. If the emulator finds known virus signatures, the corresponding non-virus programs are processed and viruses are removed.
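To make the contrast between static signature scanning and scanning during emulation concrete, the following Python sketch is an added example and not part of this disclosure. It uses a constructed six-byte “signature”, a constructed toy image whose body is XOR-encoded behind a two-byte decryption stub (opcode 0xE0, key byte), and a minimal emulator that interprets only that stub and periodically scans the emulated memory, as the paragraph above describes; the opcode, key and signature are all constructed for illustration.

```python
from typing import Tuple

# Constructed byte pattern standing in for a known virus signature (not a real IoC).
SIGNATURE = b"\xde\xad\xbe\xef\x42\x42"

# Constructed toy opcode: "XOR every following body byte with the next byte (the key)".
XOR_STUB_OPCODE = 0xE0


def xor_bytes(data: bytes, key: int) -> bytes:
    """Symmetric single-byte XOR; used both to build the sample and to emulate decryption."""
    return bytes(b ^ key for b in data)


def build_sample(key: int) -> bytes:
    """Constructed toy image: 2-byte decryption stub followed by the XOR-encoded body."""
    body = b"padding bytes" + SIGNATURE + b"tail"
    return bytes([XOR_STUB_OPCODE, key]) + xor_bytes(body, key)


def static_scan(image: bytes) -> bool:
    """Plain signature scan of the file as it sits on disk."""
    return SIGNATURE in image


def emulate_and_scan(image: bytes, scan_every: int = 4) -> Tuple[bool, int]:
    """Toy emulator: runs the decryption stub one body byte per step in a private
    copy of memory and scans that memory every `scan_every` steps.
    Returns (signature_found, steps_executed)."""
    memory = bytearray(image)
    if len(memory) < 2 or memory[0] != XOR_STUB_OPCODE:
        # No recognised decryption stub: nothing to emulate, scan once.
        return SIGNATURE in memory, 0
    key = memory[1]
    steps = 0
    for i in range(2, len(memory)):
        memory[i] ^= key          # one emulated instruction: decrypt one byte in place
        steps += 1
        if steps % scan_every == 0 and SIGNATURE in memory:
            return True, steps    # periodic scan caught the decrypted signature
    return SIGNATURE in memory, steps  # final scan after the stub finishes


if __name__ == "__main__":
    sample = build_sample(0x5A)
    print("static scan:", static_scan(sample))            # False: body still encoded
    print("emulated scan:", emulate_and_scan(sample))     # (True, <steps>)
```

Raising `scan_every` reduces how often memory is scanned during emulation, which is the coverage-versus-resources trade-off the text mentions; with a very large value the signature is only found by the final scan.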
One disadvantage of using emulators to search for virus signatures is that emulators can miss known viruses when the viruses execute before being processed by the emulator, thus infecting the device prior to detection. Another disadvantage is that some viruses are “aware” of emulators and thus will not decrypt themselves when being emulated.
As can therefore be seen, while scanning and emulation can provide some protection, these techniques, in and of themselves, do not provide complete protection. It is therefore desirable to provide a higher level of protection from viruses than is presently available. Moreover, it is desirable to provide such protection in a manner that is easy to use, administer and maintain.